Reduce build systems in master

tridge at tridge at
Tue Sep 6 17:41:40 MDT 2011

Hi Simo,

 > It's not ok for me.
 > I need a few samba4 libs already and I need to use MIT.

Can you clarify what you mean here? Are you currently using the s3-waf
build to build MIT-linked libraries?

If what you are saying is that you'd like s4 to build with MIT
kerberos then I think that is a quite separate question from what
Andrew is asking about. 

 > So I need to build as mush as I can of the code without having to use
 > the embedded KDC or heimdal libraries.

That really comes in two parts. If you don't want to use the embedded
KDC, then just don't start it (ie. use "server services -= kdc") or
just don't start Samba as a domain controller.

If you want to build it with MIT kerberos libraries then someone needs
to put in the time to get all of the current kerberos code to work
without Heimdal. Quite a bit of effort has been put into that in the
past, but it hasn't been achieved, and the biggest part of it won't be
the initial work to make it build/link, the biggest part will be the
ongoing maintainence effort to ensure it stays working as we discover
new idiosyncrasies in AD that need kerberos changes. We quite commonly
need to make changes to the underlying kerberos implementation in
order to correctly interoperate with Windows. We can't have the
situation where we need to wait for MIT to release a bugfix before we
can fix interoperability problems with Windows.

For example, Andrew and I had to make a change to the Heimdal KDC code
yesterday to deal with an issue with cross-domain trusts in a
forest. We were able to make that change quickly as we have the
Heimdal sources in-tree, and we know we can work with Love to get the
change (or an equivalent change) upstream very quickly. I'm not at all
confident that will work with MIT.

So if you really want to build with MIT then I can see only one way to
achieve that. First off, someone (maybe someone from RedHat?) would
need to put the effort in to get the current code to build with MIT
kerberos. Then when it breaks (which it will!) we'd have to just
accept that it is broken until whoever volunteers to maintain the MIT
support fixes it. We could not have support for MIT kerberos be an
autobuild requirement or we will end up regularly stalling our AD
development for long periods.

One way to think of this is that kerberos is as fundamental a part of
Samba as an AD DC as SMB is for Samba as a file server. Can you
imagine trying to support building Samba3 with an external SMB server
library provided by another project?

However, I don't think any of this is relevent to the question that
Andrew asked at the start of this thread. The source3/ waf build
currently doesn't allow you to build any of the s4 libraries with MIT
kerberos as far as I know. 

Cheers, Tridge

More information about the samba-technical mailing list